Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 3 February 2009

Phishing: .gif not just for graphics

I've seen millions of phishing scams, and they've almost always had one thing in common - they pointed to server.com/phish/ or /phish/file.html etc. Today however, I saw something new (to me at least), the phishing link pointed to a .gif file;



a.gif however, isn't what it actually appears to be. All the phisher has done is configure the server to serve .gif files as it would a .html;

*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://ns2.dlb1.net/roundcube/temp/a.gif
Server IP: 74.202.84.155 [ ns2.dlb1.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 03 February 2009
Time: 15:52:23:52
*****************************************************************
<html>
<head>
<meta http-equiv="REFRESH"
content="0;URL=http://users.cvalley.net/danny/.new/">
</head>
</html>


This phish is also valid as;

ns2.annexa.net/roundcube/temp/a.gif



The headers for this e-mail show it was sent through either an open, or compromised mail server at;

mail.i-p-c.com (IP: 75.150.127.81)

Both cvalley.net and i-p-c.com have been notified.

No comments: